
Copyright© 2016 AlienVault. All rights reserved.

AlienVault Unified Security Management™ for Government v4.12 &

RT Logic CyberC4:Alert v4.12

HIDS Deployment on Windows

AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

DOCUMENT HISTORY AND VERSION CONTROL

Edition   Date of Issue   Description of Change(s)
01        08/01/15        Initial Version


AVUG-00127 Edition 01 Copyright© 2016 AlienVault. All rights reserved. Page 3 of 9

TABLE OF CONTENTS

1. Introduction
2. Prerequisites
3. Preconfigured Manual Installation
4. Validation
   4.1. Validation on the Client
   4.2. On the Server
5. Log Management


1. INTRODUCTION

AlienVault USM for Government includes a built-in host-based intrusion detection (HIDS) agent with the following core features:

1. Log monitoring and collection
2. File integrity checking
3. Windows Registry integrity checking
4. Active response

The AlienVault HIDS agent uses a server/agent architecture, with limited support for agentless operation on certain operating systems.

Agents are deployed to client systems and run as a continuous in-memory service, sending their data to the central server over UDP port 1514. Make sure any internal firewall between the monitored hosts and the server allows this traffic (agent to server, UDP/1514); an agent that cannot reach the port never pairs, and the symptom is the “Waiting for server reply” log entry shown in the Validation section.

2. PREREQUISITES

• A host to be monitored running one of:
  o Windows Server 2003 or 2008
  o Windows 7, XP, 2000 or Vista
• An account with administrative rights for installation

3. PRECONFIGURED MANUAL INSTALLATION

For Windows client hosts, AlienVault can generate a preconfigured installer binary that installs without any additional configuration: the server address and the agent’s authentication key are embedded in the installer itself.

1. Navigate to “Environment > Detection > HIDS” and choose Agents.
2. Click ADD AGENT.
3. Enter the details of the agent to be added: either its fixed IP address, or the CIDR subnet if it will receive its address from DHCP. The server ties the agent’s key to this value, so a CIDR entry lets any host in that subnet present the key; use a single address wherever the host’s IP is stable.


4. Once the entry for the new agent has been added, go to the icon strip at the right of its row and click the Download Preconfigured Agent for Windows icon:

Figure 1. Detection option: “download preconfigured agent for Windows”

5. The system assembles a preconfigured binary; this may take a short time to complete.

6. The assembled installer is then downloaded. The file name will resemble the following: ossec_installer_564dabd0-fa1c-fd4c-d391-8feedf3246ff_001.exe

7. If necessary, move the generated installer to the intended client host. Because the installer contains the agent’s authentication key, treat it as sensitive: copy it over a trusted channel and delete it from the client once installation is complete.

8. Run the executable. The installer briefly runs in a console window, then displays the installer progress UI for a short time, and exits once installation has completed.

9. Skip to the Validation section of this document after this has been completed.

4. VALIDATION

A successful pairing between the new client agent and the AlienVault server can be validated from both sides of the connection.


4.1. VALIDATION ON THE CLIENT

The agent keeps a local log of its own operation (ossec.log in the agent’s install directory); the quickest way to open it is from the Agent Manager via “View > View Logs”.

Figure 2. OSSEC Agent Manager: “View” menu

The log file opens in your system’s default application for .txt files (typically Notepad).

A successful connection to the server will create a log entry similar to this:

2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).

2013/05/28 10:53:42 ossec-agent Sending keep alive message....

If the client agent cannot reach the OSSEC service on the AlienVault server, you will instead see entries like these:

2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.

2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).

2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240
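The same check can be scripted so that it scales past one host. The Python below is an added example written for this guide, not AlienVault or OSSEC code: it parses ossec.log lines, takes the latest connection-related event as the agent’s state, extracts the server address the agent actually reported, and flags a mismatch against the server you expect (which catches an installer generated for the wrong server). The two sample inputs are the log excerpts quoted above; the default log path is an assumption based on the OSSEC agent’s usual install directory and should be adjusted for your deployment.

```python
"""Classify a Windows HIDS agent's ossec.log to confirm it has paired with the
AlienVault server. Added example for this guide; not AlienVault or OSSEC code."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Default location of the Windows agent's log (assumption; adjust to your install).
DEFAULT_LOG_PATH = r"C:\Program Files (x86)\ossec-agent\ossec.log"

# The lines quoted in section 4.1 of this guide, one successful and one failed
# pairing, used here as sample input.
SAMPLE_OK = """\
2013/05/28 10:53:42 ossec-agent(4102): INFO: Connected to the server (192.168.1.240:1514).
2013/05/28 10:53:42 ossec-agent Sending keep alive message....
"""
SAMPLE_FAIL = """\
2013/05/28 12:20:15 ossec-agent(4101): WARN: Waiting for server reply (not started). Tried: '192.168.1.240'.
2013/05/28 12:25:05 ossec-agent: INFO: Trying to connect to server (192.168.1.240:1514).
2013/05/28 12:25:05 ossec-agent: INFO: Using IPv4 for: 192.168.1.240
"""

# "<date> <time> ossec-agent[(code)][:] [LEVEL:] message" - the code, the colon
# and the level are all optional, as the keep-alive line above shows.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agent(?:\((?P<code>\d+)\))?:?\s*"
    r"(?:(?P<level>INFO|WARN|ERROR):\s*)?(?P<msg>.*)$"
)
ADDR_RE = re.compile(r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\)")


@dataclass
class Event:
    ts: str
    code: Optional[int]
    level: Optional[str]
    msg: str


@dataclass
class AgentStatus:
    state: str = "UNKNOWN"            # CONNECTED, WAITING or UNKNOWN
    server: Optional[str] = None      # "ip:port" from the last Connected line
    last_event: Optional[Event] = None
    keepalives: int = 0               # keep-alives seen since the last connect
    problems: List[str] = field(default_factory=list)


def parse_lines(lines: Iterable[str]) -> List[Event]:
    """Parse ossec.log lines; lines that are not ossec-agent entries are skipped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue
        code = int(m.group("code")) if m.group("code") else None
        events.append(Event(m.group("ts"), code, m.group("level"), m.group("msg")))
    return events


def agent_status(lines: Iterable[str], expected_server: Optional[str] = None) -> AgentStatus:
    """Walk the log in order; the latest connection-related event decides the state."""
    st = AgentStatus()
    for ev in parse_lines(lines):
        if ev.code == 4102 or ev.msg.startswith("Connected to the server"):
            st.state, st.last_event, st.keepalives = "CONNECTED", ev, 0
            a = ADDR_RE.search(ev.msg)
            st.server = f"{a.group('ip')}:{a.group('port')}" if a else None
        elif ev.code == 4101 or ev.msg.startswith(("Waiting for server reply",
                                                    "Trying to connect to server")):
            # A later "Trying to connect" means the agent lost its server again.
            st.state, st.last_event = "WAITING", ev
        elif ev.msg.startswith("Sending keep alive"):
            st.keepalives += 1
    if st.state != "CONNECTED":
        st.problems.append("agent has not confirmed a connection; last event: "
                           + (st.last_event.msg if st.last_event else "none"))
    elif expected_server and st.server and st.server.split(":")[0] != expected_server:
        st.problems.append(f"agent connected to {st.server}, expected server "
                           f"{expected_server}; check the address embedded in the installer")
    return st


def check_log_file(path: str = DEFAULT_LOG_PATH,
                   expected_server: Optional[str] = None) -> AgentStatus:
    """Read a real ossec.log from disk and classify it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return agent_status(fh, expected_server)


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        s = agent_status(sample.splitlines(), expected_server="192.168.1.240")
        print(name, s.state, s.server, s.keepalives, s.problems)
```

Run it on the host with `check_log_file(expected_server="<your AlienVault server IP>")`; a WAITING result with no later Connected line points at the UDP/1514 path or the embedded server address rather than at the installer itself.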


4.2. ON THE SERVER

From the AlienVault web UI, open the OSSEC configuration panel via “Environment > Detection > HIDS”. In the agent listing at the bottom of the main panel, check that the newly created agent is marked Active:

Figure 3. OSSEC configuration panel

The trend chart will not populate immediately; it requires logs to have been received from the client for some time first.

Your Client Installation is now completed.

When re-launching the OSSEC Agent Manager on Windows, always start it with the “Run as administrator” option. Otherwise it will falsely report that the agent is not running, the service status will be unavailable, and the agent logs cannot be viewed.


5. LOG MANAGEMENT

Event logs provide the information needed to troubleshoot operational errors and to investigate potential security exposures.

Navigate to “Analysis > Security Events (SIEM)”. The window is similar to the following:

Figure 4. Security Events (SIEM)


Navigate to “Analysis > Raw Logs” to view Logger logs:

Figure 5. Raw Logs